8-4
T35 Transformer Protection System
GE Multilin
8.2 CYBERSENTRY
8 SECURITY
8
8.2CYBERSENTRY
8.2.1 OVERVIEW
CyberSentry Embedded Security is a software option that provides advanced security services through the following:
•
An Authentication, Authorization, Accounting (AAA) Remote Authentication Dial-In User Service (RADIUS) client that
is centrally managed, enables user attribution, provides accounting of all user activities, and uses secure standards-
based strong cryptography for authentication and credential protection.
•
A Role-Based Access Control (RBAC) system that provides a permission model that allows access to UR device oper-
ations and configurations based on specific roles and individual user accounts configured on the AAA server (that is,
Administrator, Supervisor, Engineer, Operator, Observer).
•
Security event reporting through the Syslog protocol for supporting Security Information Event Management (SIEM)
systems for centralized cybersecurity monitoring.
•
Strong encryption of all access and configuration network messages between the EnerVista software and UR devices
using the Secure Shell (SSH) protocol, the Advanced Encryption Standard (AES), and 128-bit keys in Galois Counter
Mode (GCM) as specified in the U.S. National Security Agency Suite B extension for SSH and approved by the
National Institute of Standards and Technology (NIST) FIPS-140-2 standards for cryptographic systems.
Example:
Administrative functions can be segmented away from common operator functions, or engineering type access,
all of which are defined by separate roles, as shown in the following figure, so that access of UR devices by multiple per-
sonnel within a substation is allowed. Permission for each role are outlined in the table later in this section.
Figure 8–1: CYBERSENTRY USER ROLES
There are two types of authentication supported by CyberSentry that can be used to access the UR device:
•
Local Authentication (local UR device authenticates)
•
Remote Authentication (RADIUS server authenticates)
The EnerVista software allows access to functionality that is determined by the user role, which comes either from the local
UR device or RADIUS server.
The EnerVista software has a local authentication option on the login screen for accessing the UR device. When the "Local"
button is selected, the UR uses its local authentication database and not the RADIUS server to authenticate the user. In this
case, it uses its built-in roles (Administrator, Engineer, Supervisor, Observer, Operator) as login names and the associated
passwords are stored on the UR device. As such, when using the local accounts, access is not user-attributable.
Summary of Contents for T35 UR Series
Page 10: ...x T35 Transformer Protection System GE Multilin TABLE OF CONTENTS ...
Page 48: ...2 18 T35 Transformer Protection System GE Multilin 2 2 SPECIFICATIONS 2 PRODUCT DESCRIPTION 2 ...
Page 314: ...5 192 T35 Transformer Protection System GE Multilin 5 10 TESTING 5 SETTINGS 5 ...
Page 338: ...6 24 T35 Transformer Protection System GE Multilin 6 5 PRODUCT INFORMATION 6 ACTUAL VALUES 6 ...
Page 350: ...7 12 T35 Transformer Protection System GE Multilin 7 2 TARGETS 7 COMMANDS AND TARGETS 7 ...
Page 366: ...8 16 T35 Transformer Protection System GE Multilin 8 2 CYBERSENTRY 8 SECURITY 8 ...
Page 406: ...A 14 T35 Transformer Protection System GE Multilin A 1 PARAMETER LISTS APPENDIX A A ...
Page 540: ...D 10 T35 Transformer Protection System GE Multilin D 1 IEC 60870 5 104 PROTOCOL APPENDIX D D ...
Page 552: ...E 12 T35 Transformer Protection System GE Multilin E 2 DNP POINT LISTS APPENDIX E E ...
Page 560: ...F 8 T35 Transformer Protection System GE Multilin F 3 WARRANTY APPENDIX F F ...